AUTOMATION AND ORCHESTRATION R80.10

Ryan Darst | Solution Manager, Central and North East US

©2017 Check Point Software Technologies Ltd.

Intro to APIs


REST APIs?? What is that?

• The mechanism that allows systems to access, add, change, manipulate and delete resources on an application via web services.
• REST APIs are called via standard URLs, for example:
  ̶ https://r80-mgmt/web_api/add-host
• The application exposes HTTP methods such as GET/POST/PUT/DELETE, etc.
• The data being exchanged can be in formats such as:
  ̶ HTML, JSON, XML.

(Diagram: client -> https://r80mgmt/web_api/add-host -> R80 SmartCenter/MDM)

API Documentation

• The documentation for the installed version is available at https://mgmt-ip/api_docs
  ̶ API server must be enabled
  ̶ Client must be a trusted client/GUI client
  ̶ All four methods of using the API are documented (Web Services, mgmt_cli, Gaia clish, SmartConsole command line)

Enabling the API


What type of APIs does R80 use?

• Web services REST APIs with a JSON-style format for the HTTP body
• Most calls are "POST" requests

R80 Architecture


How do I use/test the API calls ?


Always remember the flow

• Login: https://<mgmt>/web_api/login
• Send REST action: https://<mgmt>/web_api/add-host
• Publish: https://<mgmt>/web_api/publish (until you publish, the change is private to your session)
• Logout: https://<mgmt>/web_api/logout
• Install policy: https://<mgmt>/web_api/install-policy (the gateway only enforces the published change once policy is installed)

Testing the API calls

• CURL
  ̶ Very useful for simple bash scripts
• Postman
  ̶ Can import R80 collections
  ̶ Can export calls as scripts
• REST API Demo Tool (Check Point)

Other ways

• Programming languages
  ̶ Python
  ̶ PHP
  ̶ Perl
  ̶ Java, etc.
• Automation tools
  ̶ Ansible (Ansible library available)
  ̶ OpenStack Heat

Don't forget about the mgmt_cli and SmartConsole CLI

• Web Services API: REST APIs / JSON format
• mgmt_cli: shell scripting, e.g. [Expert@r80mgmt:0]# mgmt_cli login
• SmartConsole command line: faster operations

R80 Layers and Sessions Review

• R80 policies are made up of layers
  ̶ Layers can be inline and/or ordered
  ̶ RBA (role-based administration) can be delegated to specific layers
• Sessions are what is used to achieve admin concurrency
  ̶ Think of the automated API working alongside users in the system
  ̶ Sessions are private until they are published

Let’s do some fun stuff


Lab Setup

• https://cpxlab-##.cpmarco.com/guacamole
  ̶ user: cpx2017 / pw: cpx2017
• SmartConsole:
  ̶ user: admin / pw: cpx2017

Setting up the management server (via SmartConsole) to accept API calls

• Manage & Settings -> Blades -> Management API -> Advanced Settings
• After Publish -> log on to the R80 server via CLI and run "api restart"

Setup Postman

• Turn off SSL certificate verification
  ̶ Only for this lab, where the management server presents a self-signed certificate. In production keep verification on and import the management server's certificate (or the CA that issued it) into Postman instead; with verification off, anyone who can sit between you and the server can read the admin password and the session id.

Setup Postman - Environment

• Click the icon shown below -> "Manage Environment" -> "Globals"
• Add under the "server" value: "https://10.0.102.100/web_api", and save

Now we are ready to build some stuff

• Login: https://<mgmt>/web_api/login
• Send REST action: https://<mgmt>/web_api/add-host
• Publish: https://<mgmt>/web_api/publish
• Logout: https://<mgmt>/web_api/logout
• Install policy: https://<mgmt>/web_api/install-policy

Lab 01

• Login
  ̶ Save the token (the "sid" returned by login; send it back as the X-chkp-sid header on every later call)
  ̶ Create a host object
  ̶ Publish
  ̶ Logout

Lab 01 Continuation

Lab 02

• https://10.0.102.100/api_docs/
  ̶ Create a group
  ̶ Create a host object and add it to the group in a single call
  ̶ Publish
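The flow from "Always remember the flow", Lab 01 and Lab 02 together, as an added example (it is not code from the deck or from Check Point): a minimal Python client that logs in, keeps the sid, creates a group, creates a host joined to that group in the same add-host call, publishes, and logs out. It assumes the web_api command names and parameters (login, add-group, add-host with "groups", publish, discard, logout), the X-chkp-sid header, and the lab server 10.0.102.100; FakeMgmt is a constructed stand-in for the management server so the flow runs offline, and its error codes are only illustrative.

```python
import json
import ssl
import urllib.error
import urllib.request


class ApiError(RuntimeError):
    """The management server answered with a non-200 status (body carries code + message)."""


class MgmtApi:
    """Tiny R80 web_api client: every command is an HTTPS POST of a JSON body to /web_api/<command>."""

    def __init__(self, server, transport=None, verify_tls=True):
        self.base = server.rstrip("/")          # e.g. "https://10.0.102.100/web_api" (lab address)
        self.sid = None                          # session id handed back by login
        self.verify_tls = verify_tls
        self.transport = transport or self._https_post   # injectable so the flow can run offline

    def _https_post(self, url, headers, body):
        """Real transport; returns (http_status, response_bytes)."""
        ctx = ssl.create_default_context()
        if not self.verify_tls:                  # lab only: self-signed management certificate
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:    # API errors arrive as 4xx with a JSON body
            return err.code, err.read()

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid     # every call after login carries the session id
        body = json.dumps(payload or {}).encode()   # parameterless commands still send "{}"
        status, raw = self.transport(f"{self.base}/{command}", headers, body)
        data = json.loads(raw or b"{}")
        if status != 200:
            raise ApiError(f"{command}: HTTP {status} {data.get('code')}: {data.get('message')}")
        return data

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid


def provision_group_and_host(api, user, password, group, host, ip):
    """Lab 01 + Lab 02 in one session: login, add-group, add-host joined to the group in the
    same call, publish, logout. Returns the uids the server assigned."""
    api.login(user, password)
    try:
        uids = {"group": api.call("add-group", {"name": group})["uid"],
                "host": api.call("add-host", {"name": host, "ip-address": ip,
                                              "color": "blue", "groups": [group]})["uid"]}
        api.call("publish")      # until here the objects are private to this session
    except ApiError:
        api.call("discard")      # drop the half-done private changes rather than leave them dangling
        raise
    finally:
        api.call("logout")       # always release the session
    return uids


class FakeMgmt:
    """Constructed stand-in for the management server (not Check Point code). It enforces the two
    things that matter for the flow: the password, and a session id on every call after login."""
    SID = "FAKE-SID-0001"

    def __init__(self, password="cpx2017"):
        self.password = password
        self.commands = []       # (command, payload) in the order received
        self.hosts = set()

    def _reply(self, status, **fields):
        return status, json.dumps(fields).encode()

    def __call__(self, url, headers, body):
        command, payload = url.rsplit("/", 1)[1], json.loads(body)
        self.commands.append((command, payload))
        if command == "login":
            if payload.get("password") != self.password:
                return self._reply(400, code="err_login_failed", message="Authentication to server failed.")
            return self._reply(200, sid=self.SID)
        if headers.get("X-chkp-sid") != self.SID:
            return self._reply(400, code="generic_err_missing_session_id", message="Missing header: [X-chkp-sid]")
        if command == "add-host":
            if payload["name"] in self.hosts:    # illustrative validation error
                return self._reply(400, code="err_validation_failed", message=f"host {payload['name']} already exists")
            self.hosts.add(payload["name"])
        return self._reply(200, uid=f"uid-{command}-{payload.get('name', '')}")


if __name__ == "__main__":
    fake = FakeMgmt()
    api = MgmtApi("https://10.0.102.100/web_api", transport=fake)
    print(provision_group_and_host(api, "admin", "cpx2017", "cpx-group", "cpx-host1", "10.1.1.1"))
    print([c for c, _ in fake.commands])    # ['login', 'add-group', 'add-host', 'publish', 'logout']
```

Against the real lab server drop the transport argument and pass verify_tls=False only while the management certificate is self-signed. The discard-then-logout path is the part worth copying: a script that dies halfway otherwise leaves unpublished objects in its session for the next administrator to find.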

Lab 03

• Create a new policy package called "CPXTraining"
• Add a new section title at the top called "Admin Access"
• Add another section title below called "CPX Access"
• Add a new rule in section Admin Access
• Add a new rule in section CPX Access
• Publish

(Diagram: Policy Package "CPX2017" with access layer "CPX2017 Network")

Lab 04

• Create a gateway object (add-simple-gateway) with SIC
  ̶ Gateway name: vsec-gw
  ̶ Version: R77.30
  ̶ Blades: FW, IPS, Anti-Bot, Anti-Virus and Threat Emulation
  ̶ Gateway IP: 10.0.102.10
  ̶ SIC PW: cpx2017
  ̶ Interfaces (anti-spoofing off):
    ̶ eth0: 10.0.100.10/24 External
    ̶ eth1: 10.0.101.10/24 Internal
    ̶ eth2: 10.0.102.10/24 Internal
  ̶ Color: Blue
  ̶ Publish

Lab 04

• Push the Standard policy to the new gateway
• Check the task id that was returned and see when it completes
• Check your access to SSH to the internal-host with PuTTY
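The last two Lab 04 steps (push the policy, then watch the task id until it completes) as an added example, not code from the deck or from Check Point. install-policy is asynchronous: the server answers at once with a task-id and the push continues in the background, so a script has to poll show-task and must bound that wait. Assumed here: the install-policy parameters policy-package/targets and its task-id reply, show-task's tasks[0].status values ("in progress" until done, then "succeeded", "failed" or "partially succeeded"), a caller-supplied call(command, payload) wrapper that POSTs to the web_api with the session header and returns the decoded JSON, and a constructed FakeTaskServer/FakeClock so it runs offline.

```python
import time

IN_PROGRESS = "in progress"      # the only non-terminal status show-task reports (assumption)


def install_and_wait(call, package, targets, interval=2.0, timeout=600.0,
                     sleep=time.sleep, clock=time.monotonic):
    """Run install-policy and block until the task leaves 'in progress'.

    `call(command, payload)` is any wrapper that POSTs to <mgmt>/web_api/<command> with the
    X-chkp-sid header and returns the decoded JSON reply. Returns (final_status, polls);
    raises TimeoutError if the task has not settled within `timeout` seconds.
    """
    reply = call("install-policy", {"policy-package": package, "targets": targets})
    task_id = reply["task-id"]
    deadline = clock() + timeout
    polls = 0
    while True:
        task = call("show-task", {"task-id": task_id, "details-level": "full"})["tasks"][0]
        polls += 1
        if task["status"] != IN_PROGRESS:
            return task["status"], polls          # "succeeded", "failed" or "partially succeeded"
        if clock() >= deadline:
            raise TimeoutError(f"task {task_id} still '{IN_PROGRESS}' after {timeout}s")
        sleep(interval)


class FakeTaskServer:
    """Constructed stand-in for the management server: install-policy hands out a task id and
    show-task reports 'in progress' for `ticks` polls before the configured final status."""

    def __init__(self, final_status="succeeded", ticks=2):
        self.final_status = final_status
        self.ticks = ticks
        self.polls = 0

    def __call__(self, command, payload):
        if command == "install-policy":
            assert payload["targets"], "install-policy needs at least one target gateway"
            return {"task-id": "task-0001"}
        if command == "show-task":
            assert payload["task-id"] == "task-0001"
            self.polls += 1
            if self.polls <= self.ticks:
                return {"tasks": [{"task-id": "task-0001", "task-name": "Install Policy",
                                   "status": IN_PROGRESS,
                                   "progress-percentage": 50 * self.polls // self.ticks}]}
            return {"tasks": [{"task-id": "task-0001", "task-name": "Install Policy",
                               "status": self.final_status, "progress-percentage": 100}]}
        raise ValueError(f"unexpected command {command}")


class FakeClock:
    """Deterministic clock so the loop and its timeout can be exercised without real sleeping."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clk = FakeClock()
    status, polls = install_and_wait(FakeTaskServer(), "Standard", ["vsec-gw"],
                                     sleep=clk.sleep, clock=clk)
    print(status, polls)      # succeeded 3
```

Treat anything other than "succeeded" as a failed push: "partially succeeded" means at least one target did not get the policy, and the lab's SSH check to the internal-host will tell you which one.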

Don't feel like typing it all in?

• Sample calls (JSON) are here:
  ̶ automation/sample_json_calls.txt

Useful commands

• To troubleshoot the API calls: tail -f $FWDIR/log/api.elg
• Check the API status: api status
• Restart the API: api restart

MGMT_CLI

• Available for GAIA, Linux, Windows
  ̶ Easy to use
  ̶ Sample:

mgmt_cli login | tee session.txt
mgmt_cli show-objects -s session.txt
mgmt_cli add host name "cpx-host3" ip-address "10.1.1.1" -s session.txt
mgmt_cli publish -s session.txt
mgmt_cli logout -s session.txt

mgmt_cli - bulk add objects

• Create a CSV file (the header row holds the command's parameter names, every data row becomes one call). For example:

name,ip-address,color,comments
cpx1,1.1.1.100,blue,batch
cpx2,1.1.1.101,blue,batch
cpx3,1.1.1.102,blue,batch

• Run mgmt_cli with the batch function:

mgmt_cli login | tee session.txt
mgmt_cli add host -b csvfile.csv -s session.txt
mgmt_cli publish -s session.txt

MGMT_CLI Lab

• Using the mgmt_cli, create a CSV file and add a list of hosts with the batch function.
• Using the mgmt_cli, create a CSV file and add a list of services with the batch function.
• Using the mgmt_cli, create a CSV file and add a list of rules with the batch function from the hosts and services created earlier.
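The three MGMT_CLI Lab files, generated in one go as an added example (not code from the deck or from Check Point): hosts, services and rules CSVs for mgmt_cli's batch mode, checked against each other before anything is sent, so a rule that names a host or service that the batch would not create fails here instead of halfway through the run. The host file follows the header shown on the previous slide; the service and rule headers are an assumption that the columns are the parameter names of add service-tcp and add access-rule, and the layer name "Network" and the sample objects are constructed for the example.

```python
import csv
import io
import ipaddress

ACTIONS = {"Accept", "Drop", "Reject"}     # access-rule actions used here; the API accepts more
BUILTIN = {"Any"}                          # objects that exist without being created by us


def _to_csv(columns, rows):
    """Serialize rows (dicts keyed by API parameter name) with the header mgmt_cli -b expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _check_unique(names, kind):
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        raise ValueError(f"duplicate {kind} name(s): {dupes}")


def hosts_csv(hosts, color="blue", comment="batch"):
    """hosts: [(name, ip)]. Feed the result to `mgmt_cli add host -b hosts.csv`."""
    _check_unique([n for n, _ in hosts], "host")
    rows = []
    for name, ip in hosts:
        ipaddress.ip_address(ip)               # raises ValueError on a malformed address
        rows.append({"name": name, "ip-address": ip, "color": color, "comments": comment})
    return _to_csv(["name", "ip-address", "color", "comments"], rows)


def services_csv(services, comment="batch"):
    """services: [(name, tcp_port)]. Feed the result to `mgmt_cli add service-tcp -b services.csv`."""
    _check_unique([n for n, _ in services], "service")
    rows = []
    for name, port in services:
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"service {name}: port {port} out of range")
        rows.append({"name": name, "port": str(port), "comments": comment})
    return _to_csv(["name", "port", "comments"], rows)


def rules_csv(rules, hosts, services, layer="Network"):
    """rules: [{name, source, destination, service, action}]. Feed the result to
    `mgmt_cli add access-rule -b rules.csv`. Rows are appended at the bottom of `layer` in
    list order, and every referenced object must come from `hosts`/`services` or be built in."""
    host_names = {n for n, _ in hosts} | BUILTIN
    service_names = {n for n, _ in services} | BUILTIN
    _check_unique([r["name"] for r in rules], "rule")
    rows = []
    for r in rules:
        for field, known in (("source", host_names), ("destination", host_names), ("service", service_names)):
            if r[field] not in known:
                raise ValueError(f"rule {r['name']}: unknown {field} {r[field]!r}")
        if r["action"] not in ACTIONS:
            raise ValueError(f"rule {r['name']}: action must be one of {sorted(ACTIONS)}")
        rows.append({"layer": layer, "position": "bottom", "name": r["name"],
                     "source": r["source"], "destination": r["destination"],
                     "service": r["service"], "action": r["action"]})
    return _to_csv(["layer", "position", "name", "source", "destination", "service", "action"], rows)


# Constructed sample input for the lab.
HOSTS = [("cpx1", "1.1.1.100"), ("cpx2", "1.1.1.101"), ("cpx3", "1.1.1.102")]
SERVICES = [("cpx-web-8443", 8443), ("cpx-ssh-2222", 2222)]
RULES = [
    {"name": "cpx admin ssh", "source": "cpx1", "destination": "cpx2",
     "service": "cpx-ssh-2222", "action": "Accept"},
    {"name": "cpx web", "source": "Any", "destination": "cpx3",
     "service": "cpx-web-8443", "action": "Accept"},
]

if __name__ == "__main__":
    for fname, text in (("hosts.csv", hosts_csv(HOSTS)),
                        ("services.csv", services_csv(SERVICES)),
                        ("rules.csv", rules_csv(RULES, HOSTS, SERVICES))):
        print(f"== {fname}\n{text}")
```

Write the three strings to hosts.csv, services.csv and rules.csv, then, in one session, run mgmt_cli add host -b hosts.csv, mgmt_cli add service-tcp -b services.csv and mgmt_cli add access-rule -b rules.csv (each with -s session.txt) in that order, and publish once at the end; the order matters because the rule rows reference objects the earlier batches create.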

Mgmt_CLI in SmartConsole

• Now use the mgmt_cli; try it in SmartConsole
• Change the color of a host
• Add a new UDP service
• Notice where the publish occurs!

Changes using Clish

• Use the API from clish on your management server
• Add a new host and set the color to blue
• Add a new TCP service

Sample Scripts (shell)

• On your lab, open the orchestrator (SSH), under the /scripts folder
  ̶ Go to /scripts/r80_shell_scripts
  ̶ Run: ./create-host
  ̶ Verify that it is on the dashboard
  ̶ Run: ./delete-host
• On your Management Server under /home/admin/R80_Scripts
  ̶ Run the Create* scripts: bash Create_All
  ̶ Run the Delete_All script
  ̶ Review the scripts and see how it is done!

Sample Scripts (python)

• On your lab (orchestrator) go to:
  ̶ /scripts/r80_python_scripts
  ̶ r80_apis.py (sample library created from REST API scripts)
  ̶ add_host.py
  ̶ add_hosts_from_csv.py
  ̶ add_rulebase_from_csv.py
  ̶ delete_rulebase_from_csv.py
  ̶ delete_hosts_from_csv.py
  ̶ delete_host.py
  ̶ add_hosts_from_csv_staging.py

Ansible

• Ansible library provided by CP - see "sk114661"
• Automate and orchestrate the build of your infrastructure, including security policies, rules and objects, using Ansible and CP.
  ̶ On your lab go to /etc/ansible/
• Example: ansible-playbook cpx_add_host_w_inputs.yml --extra-vars "ip=1.2.3.4 host=myhost"

Sample Portal

• https://<your ip>/cpportal
  ̶ User: api_user PW: cpx2017

Where do I download the sample files from?

• https://s3-us-west-2.amazonaws.com/cpx2017-automation/list.html
• It will be available for the next 30 days.

Script Repositories

• Exchange Point: https://community.checkpoint.com

THANK YOU